author Andrew G. Morgan <morgan@kernel.org> 2021-05-04 20:28:37 -0700
committer Andrew G. Morgan <morgan@kernel.org> 2021-05-07 20:06:36 -0700
commit fe4c27de243b13973acff3cda2c8c8ff4a768855 (patch)
tree 0f117b5def631a8df86eb66d2d797c579159ae62 /progs
parent b08b523364b133d7e158968892eba48a18827142 (diff)
Add a module argument to pam_cap.so to assist with ambient support
Some PAM applications drop privilege when they change UID, which has the side effect of dropping ambient capabilities. We add support for the "keepcaps" argument which can be used in an attempt by the module to not drop permitted capabilities when performing a setuid() call. Some experimentation may be needed to see if this works for any given application. To not be a security bug vector, it requires the application so configured perform an exec() to launch a user-specific operation.

This is an attempt to provide some Administrator support for working around the issue observed in this bug (report by Zoltan Fridrich):

https://bugzilla.kernel.org/show_bug.cgi?id=212945

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'progs')
0 files changed, 0 insertions, 0 deletions